6.2

You can import this template file into Active Directory or the Local Group Policy Editor to simplify the
management of these configuration settings. See the Microsoft Policy Editor and GPO handling
documentation for details of managing policy settings in this way. Policy settings for the plug-in are stored
in the registry key:
HKEY_LOCAL_MACHINE\Software\Policies\VMware, Inc.\VMware VDM\Agent\Configuration\XMLAPI
For smart card authentication, the certificate authority (CA) that signs the smart card certificates must be in
the Windows Certificate Store. For information about how to add a certificate authority, see “Add a
Certificate Authority to the Windows Certificate Store,” on page 18.
NOTE If a user attempts to log in using a smart card to a Windows 7 or Windows Server 2008 R2 machine
and the Smart Card certificate has been signed by an intermediate CA, the attempt may fail because
Windows can send the client a trusted issuer list that does not contain intermediate CA names. If this
happens, the client will be unable to select an appropriate Smart Card certificate. To avoid this problem, set
the registry value SendTrustedIssuerList (REG_DWORD) to 0 in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. With this registry
value set to 0, Windows does not send a trusted issuer list to the client, which can then select all the valid
certificates from the smart card.
Disabling Weak Ciphers in SSL/TLS
To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that
communications that use the SSL/TLS protocol between Horizon Clients and virtual machine-based
desktops or RDS hosts do not allow weak ciphers.
Procedure
1 On the Active Directory server, edit the GPO by selecting Start > Administrative Tools > Group Policy
Management, right-clicking the GPO, and selecting Edit.
2 In the Group Policy Management Editor, navigate to the Computer Configuration > Policies >
Administrative Templates > Network > SSL Configuration Settings.
3 Double-click SSL Cipher Suite Order.
4 In the SSL Cipher Suite Order window, click Enabled.
5 In the Options pane, replace the entire content of the SSL Cipher Suites text box with the following
cipher list:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA
The cipher suites are listed above on separate lines for readability. When you paste the list into the text
box, the cipher suites must be on one line with no spaces after the commas.
6 Exit the Group Policy Management Editor.
7 Restart the VADC machines for the new group policy to take effect.
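The following PowerShell check is an added example and is not part of the VMware guide. It builds the one-line, comma-separated cipher string from the list above and, run on a VADC machine after the GPO has applied, verifies the resulting SSL Cipher Suite Order value and the SendTrustedIssuerList setting from the smart card note; the cipher policy registry path is Microsoft's documented location for that policy and is an assumption of this example, not something the guide states.

```powershell
# Added example, not from the VMware guide. Run locally on a VADC machine after 'gpupdate /force'.
$ExpectedSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA'
)
# Registry locations Windows uses for the two settings (Microsoft's keys, not VMware's; assumed here).
$CipherPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$SchannelKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-CipherSuiteOrderString {
    # Produces the single-line form the text box requires: commas, no whitespace.
    param([string[]]$Suites)
    $line = ($Suites | ForEach-Object { $_.Trim() }) -join ','
    # The policy's 'Functions' value is limited to 1023 characters; longer lists are cut off.
    if ($line.Length -gt 1023) { throw "Cipher list is $($line.Length) characters; the limit is 1023." }
    return $line
}

function Test-VadcTlsHardening {
    param([string[]]$Suites = $ExpectedSuites)
    $ok = $true
    $expected = Get-CipherSuiteOrderString -Suites $Suites
    $policy = Get-ItemProperty -Path $CipherPolicyKey -Name Functions -ErrorAction SilentlyContinue
    if (-not $policy) {
        Write-Warning "SSL Cipher Suite Order policy not applied: $CipherPolicyKey\Functions is missing."
        $ok = $false
    } else {
        $actual = [string]$policy.Functions
        # Flag any suite the policy still allows that is not in the approved list (e.g. RC4 or 3DES).
        $extra = ($actual -split ',') | Where-Object { $_ -and ($Suites -notcontains $_) }
        if ($extra) { Write-Warning "Suites outside the approved list: $($extra -join ', ')"; $ok = $false }
        if ($actual -ne $expected) { Write-Warning 'Cipher suite order differs from the approved list.'; $ok = $false }
    }
    # Smart card note: SendTrustedIssuerList must be 0 so the client can offer any valid certificate.
    $stil = (Get-ItemProperty -Path $SchannelKey -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
    if ($stil -ne 0) { Write-Warning "SendTrustedIssuerList is '$stil' (expected 0) under $SchannelKey."; $ok = $false }
    return $ok
}
Test-VadcTlsHardening
```

The function returns $true only when both settings match; a missing SendTrustedIssuerList value is reported, because Windows then falls back to sending the issuer list.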
View Agent Direct-Connection Plug-In Administration
14 VMware, Inc.